PERSONAL DATA STORAGE AND DESTRUCTION POLICY
1. PURPOSE OF THE POLICY
The purpose of this policy is to determine all the rules, roles and responsibilities to be applied throughout MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI in order to fulfill the obligations regarding the storage and destruction of personal data in accordance with Articles 5 and 6 of the Regulation on Deletion, Destruction or Anonymization of Personal Data (Regulation), which was issued based on the Law on the Protection of Personal Data No. 6698 (Law) and published in the Official Gazette No. 30224 on 28.10.2017, and other obligations specified in the Regulation.
2. SCOPE OF THE POLICY
The Policy covers personal data and sensitive personal data defined by Law No. 6698 kept throughout MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI (before), all MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI employees, managers, consultants and its affiliates, external service providers in all cases of personal data sharing, and real and legal persons with whom MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI has other legal relations.
The Policy covers personal data contained in systems where data is processed by fully or partially automated means or by non-automatic means, provided that it is part of any data recording system, as specified in the Law.
Unless otherwise stated in this Policy, personal data and sensitive personal data will generally be referred to as “Personal Data”.
3. DEFINITIONS
- Anonymization: It refers to making personal data impossible to associate with an identified or identifiable natural person in any way, even if it is matched with other data.
- Destruction: It refers to the deletion or destruction of personal data,
- Personal Data: It refers to all kinds of information about an identified or identifiable real person,
- Personal Data Storage Table (Period): It refers to the table showing the periods during which personal data will be kept by MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERİ ANONIM SIRKETI.
- Personal Data Processing Inventory: It refers to the personal data processing activities carried out by data controllers depending on their business processes; to the inventory they create by associating personal data with the purposes of processing personal data, data category, transferred recipient group and data subject person group, and detailing the maximum period required for the purposes for which personal data are processed, the personal data envisaged to be transferred to foreign countries and the measures taken regarding data security.
- Deletion of Personal Data: It refers to the process of making personal data inaccessible and unusable for the relevant users in any way,
- Destruction of Personal Data: It refers to the process of making personal data inaccessible, irretrievable and unusable by anyone,
- Sensitive Personal Data: It refers to people’s race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data,
- Periodic destruction: It refers to the deletion, destruction or anonymization process specified in the personal data storage and destruction policy, which will be carried out ex officio at recurring intervals, in case all the conditions for processing personal data specified in the law are eliminated,
- Data recording system: It refers to the recording system in which personal data is structured and processed according to certain criteria,
- Direct identifiers: It refers to identifiers that, on their own, directly reveal, disclose and make distinguishable the person with whom they relate,
- Indirect identifiers: It refers to identifiers that, together with other identifiers, reveal, disclose and make distinguishable the person with whom they relate,
- Law: It refers to the Protection of Personal Data Law No. 6698 published in the Official Gazette No. 29677 dated 07.04.2016,
- Regulation: It refers to the Regulation on Deletion, Destruction or Anonymization of Personal Data published in the Official Gazette dated 28.10.2017 and numbered 30224,
- Board: It refers to the Protection of Personal Data Board,
- Recording medium: It refers to any environment where personal data is processed by fully or partially automated or non-automatic means, provided that it is part of any data recording system,
- Personal Data Protection and Processing Policy: It refers to the policy that determines the procedures and principles regarding the management of personal data held by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI”, which can be accessed at https://massivebioinformatics.com/,
4. RECORDING MEDIUM REGULATED BY THE POLICY
All kinds of media containing personal data that are fully or partially automatic or processed by non-automatic means, provided that they are part of any data recording system, fall within the scope of the recording medium.
4.1. MEDIUM WHERE PERSONAL DATA IS STORED
Personal data stored by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” is kept in a recording medium appropriate to the nature of the relevant data and our legal obligations within the scope of ISMS (ISO 27001:2013).
The recording media used for the storage of personal data are generally listed below. However, some data may be located and kept in a different environment than those shown here due to their special characteristics or our legal obligations. “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” acts as the data controller and processes and protects the data within the scope of ISMS (ISO 27001:2013) in accordance with the PPD Law, the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.
a) Printed media | These are the media in which data is stored by printing on paper or microfilms. |
b) Local digital media | Other digital media such as servers, hard or portable disks, optical disks within “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI”. |
c) Cloud media | Although they are not part of MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI, they are the media in which internet-based systems encrypted with cryptographic methods are used, which are in the use of “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI“. |
4.2. ENSURING THE SECURITY OF THE MEDIUM
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” takes all necessary technical and administrative measures within the scope of ISMS (ISO 27001:2013) in accordance with the characteristics of the relevant personal data and the medium in which they are kept, in order to store personal data securely and prevent them from being processed and accessed unlawfully.
These measures include, but are not limited to, the following administrative and technical measures within the scope of ISMS (ISO 27001:2013) to the extent appropriate to the nature of the relevant personal data and the medium in which they are kept.
4.2.1. Technical Measures
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” takes the following technical measures in accordance with the characteristics of all media where personal data are stored, the relevant data and the medium where the data is kept:
- In the medium where personal data are stored, only up-to-date and secure systems suitable for technological developments are used, and security systems are used for the medium where personal data are stored.
- Security tests and research are carried out to detect security vulnerabilities in information systems, and issues that pose a current or possible risk are eliminated as a result of the tests and research carried out.
- Access to data is restricted to the medium where personal data is stored, and only authorized persons are allowed to access this data limited to the purpose of storing personal data.
- MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI has sufficient technical personnel to ensure the security of the medium where personal data are stored.
4.2.2. Administrative Measures
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” takes the following administrative measures within the scope of the PPD Law, in accordance with the characteristics of all media where personal data are stored, the relevant data and the medium where the data is kept:
- Efforts are being made to increase the awareness of all “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” employees who have access to personal data on information security, personal data and privacy of private life.
- Legal and technical consultancy services are provided in order to follow the developments in the field of information security, privacy of private life and protection of personal data and to take the necessary actions.
- If personal data is transferred to third parties due to technical or legal requirements, protocols are signed with the relevant third parties for the purpose of protecting personal data, and all necessary care is taken to comply with the obligations of the relevant third parties in these protocols.
4.2.3. Internal Audit of the Company
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” carries out internal audits in accordance with the PPD Law regarding the implementation of the provisions of the Law and this Personal Data Storage and Destruction Policy and the Personal Data Protection and Processing Policy in accordance with Article 12 of the Law.
If deficiencies or defects related to the implementation of these provisions are detected as a result of internal audits, these deficiencies or defects will be corrected immediately.
If, during the audit or otherwise, it is understood that the personal data under the responsibility of “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” has been obtained by others through illegal means, “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” shall notify the relevant party and the Board of this situation as soon as possible.
5. DUTIES AND POWERS OF THE PERSONAL DATA PROTECTION COMMITTEE
5.1. The Personal Data Protection Committee is responsible for announcing the Policy to the relevant business units and monitoring the fulfillment of its requirements by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI“ units.
5.2. The Personal Data Protection Committee makes the necessary announcements and notifications so that the relevant business units can follow up on situations such as legislative changes regarding the protection of personal data, regulatory actions and decisions of the Board, court decisions or changes in processes, applications and systems and, if necessary, update their business processes,
5.3. The Personal Data Protection Committee determines the processes for examining, evaluating, monitoring and finalizing the Law and its secondary regulations, the Board’s decisions and regulations, court decisions and other competent authorities’ decisions and/or requests, and announces them to the relevant units.
6. WHAT TO DO IN CASE THE CONDITIONS FOR THE PROCESSING OF PERSONAL DATA DISAPPEAR
6.1. If the purpose for processing personal data disappears, explicit consent is withdrawn, or all of the conditions for processing personal data set out in Articles 5 and 6 of the Law are eliminated, or if there is a situation where none of the exceptions in the mentioned articles are applicable, personal data whose processing conditions are no longer valid are deleted, destroyed or anonymized by the relevant business unit, taking into account business needs, within the scope of Articles 7, 8, 9 or 10 of the Regulation, and by explaining the justification of the method applied. However, in the event of a finalized court decision, the method of destruction ordered by the court decision must be applied.
6.2. All users and data owner “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” units that process or store personal data will review the data recording medium they use, within four-month periods at the latest, to determine whether the conditions for processing have disappeared. Upon the application of the personal data owner or the notification of the Board or a court, the relevant users and units will conduct this review in the data recording medium they use, regardless of the periodic audit period.
6.3. If, as a result of periodic reviews or at any time, it is determined that the data processing conditions have disappeared, the relevant user or data owner will decide to delete, destroy or anonymize the relevant personal data from the recording medium under his/her responsibility, in accordance with this policy. In cases of hesitation, the transaction will be made by obtaining the opinion of the relevant data owner business unit. When it is necessary to make a decision regarding the destruction of personal data with multi-stakeholder data ownership in the Central Information Systems, the opinion of the Personal Data Protection Committee will be obtained and the relevant data owner business unit will decide whether to store or delete, destroy or anonymize the personal data in accordance with this policy.
6.4. All transactions regarding the deletion, destruction or anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
6.5. In accordance with Article 7.4 of the Regulation, the methods applied in relation to the deletion, destruction or anonymization of personal data will be published and disclosed after the entry into force of the Policy.
6.6. In deleting, destroying or anonymizing personal data, it is mandatory to act in accordance with the general principles in Article 4 of the Law, the technical and administrative measures to be taken within the scope of Article 12, relevant legislative provisions, Board decisions and court decisions.
6.7. When a natural person who owns personal data requests the deletion, destruction or anonymization of his/her personal data by applying to “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” pursuant to Article 13 of the Law, the relevant data owner business unit examines whether all the conditions for processing personal data have been eliminated. If all processing conditions are eliminated, it deletes, destroys or anonymizes the personal data subject to the request. In this case, the request is concluded within thirty days from the application date, the details of which are determined in the Data Destruction Procedure in the ISO 27001:2013 Information Security Management System, and the relevant person is informed through the PPDL contact person appointed by the PPDL Officer. If all the conditions for processing personal data are eliminated and the personal data subject to the request is transferred to third parties, the relevant data owner business unit immediately notifies the third party to whom the transfer was made and ensures that the necessary actions are taken within the scope of the Regulation before the third party.
6.8. In cases where all the conditions for processing personal data are not eliminated, the requests of personal data owners for the deletion or destruction of their data may be rejected by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” by explaining the reason in accordance with the 3rd paragraph of Article 13 of the Law. The rejection response is notified to the relevant person in writing or electronically within 30 days at the latest.
6.9. Requests for deletion or destruction of personal data will be evaluated only on the condition that the identification of the relevant person has been made. In the requests to be made outside these channels, the relevant persons will be directed to the channels where identification or verification can be made.
7. ENFORCEMENT OF THE POLICY, VIOLATION CASES AND SANCTIONS
7.1. This Policy will enter into force by being announced on the website of “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI“ to all employees and personal data owners, and as of its validity, it will be binding for all business units, consultants, customers, insurance companies, external service providers and others who process personal data within the “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI“.
7.2. It will be the responsibility of the supervisors of the relevant employees to monitor whether the employees of “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” fulfill the requirements of the Policy. If a violation of the policy is detected, the issue will be immediately reported to the senior supervisor to whom the supervisor of the relevant employee reports. If the violation is significant, the senior supervisor will inform the Personal Data Protection Committee without delay.
7.3. The necessary administrative action will be taken against the employee who acts contrary to the policy after the evaluation to be made by Human Resources.
7.4. In order to fulfill the policy requirements, all necessary security measures are taken by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI“ within the scope of the PPD Law.
8. PERSONS WHO WILL BE INVOLVED IN THE STORAGE AND DESTRUCTION PROCESS OF PERSONAL DATA AND THEIR RESPONSIBILITIES
In fulfilling the requirements regarding the destruction of data specified in the Law, Regulation and Policy within the “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI”, all employees, customers, insurance companies, consultants, external service providers and anyone else who stores and processes personal data within the “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” are responsible for fulfilling these requirements.
Each business unit is obliged to store and protect the data it produces in its own business processes, but if the data produced exists only in information systems outside the control and authority of the business unit, the data in question will be stored by the units responsible for the information systems.
Periodic destructions that will affect business processes and cause deterioration of data integrity, data loss and results contrary to legal regulations will be carried out by the relevant information systems departments, taking into account the type of personal data, the systems in which it is located and the data owner business unit.
8.1. PERSONAL DATA PROTECTION COMMITTEE
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” establishes a Personal Data Protection Committee within its structure. The Personal Data Protection Committee is authorized and responsible for taking the necessary actions and supervising the processes to store and process the data of the relevant persons in accordance with the law, the Personal Data Protection and Processing Policy and the Personal Data Storage and Destruction Policy.
The Personal Data Protection Committee consists of at least three people: a director, an administrative specialist and a technical specialist. The titles and job descriptions of the “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” employees working in the Personal Data Committee are stated below:
Title | Job Description |
Director of the Personal Data Protection Committee | He or she is responsible for directing all kinds of planning, analysis, research and risk identification studies in projects carried out during the process of compliance with the law, managing the processes that must be carried out in accordance with the Law, Personal Data Protection and Processing Policy and Personal Data Storage and Destruction Policy, and deciding on the requests made by relevant persons. |
PPD Specialist (Contact Officer) (Technical and Administrative) | He or she is responsible for examining the requests of the relevant persons and reporting them to the Personal Data Committee Director for evaluation, carrying out the transactions regarding the requests of the relevant person, which are evaluated and decided by the Personal Data Committee Director, in accordance with the decision of the Personal Data Committee Director, auditing the storage and destruction processes and reporting these audits to the Personal Data Committee Director, carrying out the storage and destruction processes. |
8.2. REASONS FOR STORAGE AND DESTRUCTION
8.2.1. Reasons for Storage
Personal data held by MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI is stored in accordance with the Law and our Personal Data Policy (you can access the relevant policy at https://massivebioinformatics.com/cookies-privacy-policy/), for the purposes and reasons stated here.
8.2.2. Reasons for Destruction
Personal data within “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” will be deleted, destroyed or anonymized upon the request of the relevant person or in case the reasons listed in Articles 5 and 6 of the Law are eliminated, ex officio, in accordance with this destruction policy. The reasons listed in Articles 5 and 6 of the PPDL Law consist of the following:
- It is clearly stipulated in the laws.
- It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
- It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
- It is mandatory for the data controller to fulfill its legal obligation.
- It was made public by the Relevant Person himself/herself.
- It is necessary to process data for the establishment, exercise or protection of a right.
- It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the Relevant Person.
8.3. METHODS OF DESTRUCTION
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” deletes, destroys or anonymizes the personal data it stores in accordance with the Law and other legislation and the Personal Data Protection and Processing Policy ex officio, upon the request of the relevant person or within the periods specified in this Personal Data Storage and Destruction Policy, in case the reasons requiring the processing of data disappear.
The most commonly used deletion, destruction and anonymization techniques by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” are listed below:
8.3.1.1. Methods of Deletion
Methods of Deletion for Personal Data Stored in Printed Media | |
Obscuration | The personal data contained in the printed medium are deleted using the obscuration method. The obscuration process is carried out in the form of cutting off the personal data on the relevant documents, if possible, and making it invisible using fixed ink, so that it cannot be returned and read with technological solutions in cases where it is not possible. |
Methods of Deletion for Personal Data Stored in the Cloud and Local Digital Media | |
Secure deletion from software | Personal data stored in the cloud or local digital media is deleted by digital command in such a way that it can never be recovered again. The data deleted in this way cannot be accessed again. |
8.3.1.2. Methods of Destruction
Methods of Destruction for Personal Data Stored in Printed Media | |
Physical destruction | Documents kept in printed media are destroyed with shredder machines so that they cannot be put back together. |
Methods of Destruction for Personal Data Stored in Local Digital Media | |
Physical destruction | It is the process of physical destruction of optical and magnetic media containing personal data, such as melting, burning or pulverizing. Data is rendered inaccessible by processes such as melting, burning, pulverizing, physically cutting and/or drilling optical or magnetic media, or passing it through a metal grinder. |
De-magnetizing (degauss) | It is the process of exposing magnetic media to a high magnetic field and corrupting the data on it in an unreadable way. |
Overwriting | Random data consisting of 0s and 1s is written on magnetic media and rewritable optical media at least seven times, preventing the reading and recovery of old data. |
Methods of Destruction for Personal Data Stored in Cloud Media | |
Secure deletion from software | Personal data stored in the cloud media is deleted by digital command in such a way that it can never be recovered again, and when the cloud computing service relationship ends, all copies of the encryption keys necessary to make the personal data usable are destroyed. The data deleted in this way cannot be accessed again. |
8.3.1.3. Methods of Anonymization
Anonymization means making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data.
Removing variables | It is the removal of one or more of the direct identifiers contained in the personal data of the relevant person and which can be used to identify the relevant person in any way. This method can be used to anonymize personal data, as well as to delete personal data if there is information that is not suitable for the purpose of data processing. |
Regional concealment | It is the process of deleting potentially distinctive information about exceptional data in a data table where personal data is collectively anonymous. |
Generalization | It is the process of bringing together the personal data of many people, removing their distinctive information and turning them into statistical data. |
Lower and upper limit coding / Global coding | For a certain variable, the ranges of that variable are defined and categorized. If the variable does not contain a numerical value, then the data that are close to each other in the variable are categorized. The remaining values in the same category are combined. |
Micro-merging | With this method, all the records in the dataset are first sorted in a meaningful order, and then the entire set is divided into a certain number of subsets. Then, the value of each subset of the specified variable is averaged and the value of that variable of the subset is replaced with the average value. In this way, since the indirect identifiers contained in the data will be corrupted, it will be difficult to associate the data with the relevant person. |
Data mixing and corruption | Direct or indirect identifiers in personal data are mixed with other values or corrupted, thus severing their relationship with the relevant person and causing them to lose their identifying qualities. |
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” uses one or more of these anonymization methods to anonymize personal data, depending on the nature of the relevant data. “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” may use K-Anonymity, L-Diversity and T-Closeness statistical methods when using these anonymization methods.
9. PERIODS OF STORAGE AND DESTRUCTION OF PERSONAL DATA
The Table Showing the Periods of Storage and Destruction of Personal Data is included in Annex 1. These storage and destruction periods will be taken into account in periodic destruction or destruction upon request. The Table Showing the Periods of Storage and Destruction of Personal Data will be updated by the business units that own the processes that will be included in the personal data inventory of MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI, in case of doubt, by taking the evaluations of the Personal Data Protection Committee.
9.1. Personal Data Storage Table (Periods)
DATA OWNER | DATA CATEGORY | DATA STORAGE PERIOD |
Employee | Personnel data based on recruitment documents and notifications to the Social Security Institution regarding length of service and wages | It is stored for a period of 50 (fifty) years during the continuation of the service contract and from its termination. |
Employee | Personal data other than personnel data based on recruitment documents and notifications to the Social Security Institution regarding length of service and wages | It is stored for a period of 10 (ten) years during the continuation of the service contract and from the beginning of the calendar year following its termination. |
Employee | Data Contained in the Workplace Personal Health File | It is stored for a period of 30 (thirty) years during the continuation of the service contract and from its termination. |
Business Partner/Solution Partner/Consultant | Identity information, contact information, financial information, voice recordings of phone calls, Business Partner/Solution Partner/Consultant employee data regarding the conduct of the commercial relationship between the Business Partner/Solution Partner/Consultant and MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI | It is stored for a period of 10 (ten) years in accordance with Turkish Code of Obligations Art.146 and Turkish Commercial Code Art.82, during and after the business/commercial relationship of the Business Partner/Solution Partner/Consultant with MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI. |
Visitor | Name, surname, ID number, vehicle license plate and camera records, voice recordings taken during phone calls of MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI. | It is stored for a period of 2 (two) years. |
Website Visitor | Name, surname, e-mail address, navigation movements information of the Website Visitor | It is stored for a period of 2 (two) years. |
Employee Candidate | The information contained in the Employee Candidate’s resume and job application form | It is stored for a maximum of 2 (two) years, up to the period when the resume will lose its timeliness. |
Intern (student) | The information contained in the internship file belonging to the intern | It is stored for a period of 10 (ten) years during the continuation of the internship and from the beginning of the calendar year following its termination. |
Customer | Customer’s first name, last name, T.R. ID No., contact information, payment information and methods, navigation movements information, voice recordings received during phone calls, product/service preferences, transaction history, special day information | It is stored for 10 (ten) years from the presentation of each product/service purchased by the customer, in accordance with Turkish Code of Obligations Art. 146 and Turkish Commercial Code Art. 82. |
Customer | Camera recording, vehicle license plate information | It is stored for a period of 2 (two) years. |
Potential Customer | Identity information, contact information, financial information, voice recordings taken during phone calls received during contract negotiations regarding the establishment of a commercial relationship between the Potential Customer and MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI. | It is stored for a period of 2 (two) years. |
Institution / …………. (Supplier, Contract Manufacturer, Dealer/Franchise) “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” cooperates with | Identity information, contact information, financial information, voice recordings taken in phone calls, employee data of the Institution/ Company with which MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI cooperates regarding the execution of the commercial relationship between the Institution/Company with which “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” cooperates and MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI | It is stored for 10 (ten) years in accordance with the Turkish Code of Obligations Art. 146 and the Turkish Commercial Code Art. 82, during and after the business/ commercial relationship between the Institution/Company with which “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” cooperates and MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI |
* If a longer period is regulated in accordance with the legislation or if a longer period is stipulated for statute of limitations, retention periods, etc., the periods in the legislation provisions are considered as the maximum retention period.
9.2. Destruction Periods
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” deletes, destroys or anonymizes personal data in the first periodic destruction process following the date on which the obligation to delete, destroy or anonymize personal data for which it is responsible arises in accordance with the law, relevant legislation, Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.
When the relevant person requests the deletion or destruction of his/her personal data by applying to “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” pursuant to Art. 13 of the Law, the following is performed:
- If all the conditions for processing personal data have been eliminated, “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” deletes, destroys or anonymizes the personal data subject to the request within 30 (thirty) days from the day it receives the request, explaining the reason and using the appropriate destruction method. In order for MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI to be deemed to have received the request, the relevant person must have made the request in accordance with the Personal Data Protection and Processing Policy. In any case, “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” informs the relevant person about the transaction performed.
- If all the conditions for processing personal data have not been eliminated, this request may be rejected by “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” by explaining the reason in accordance with the third paragraph of Art. 13 of the Law, and the rejection response will be notified to the relevant person in writing or electronically within thirty days at the latest.
10. PERIODIC DESTRUCTION PERIODS
In case all of the conditions for processing personal data in the PPD Law No. 6698 are eliminated, “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” deletes, destroys or anonymizes the personal data whose processing conditions have been eliminated, through a process specified in this Personal Data Storage and Destruction Policy, which will be carried out ex officio at recurring intervals.
Periodic destruction processes start for the first time on 30.09.2019 and repeat every 6 (six) months.
10.1. AUDIT OF THE LEGAL COMPLIANCE OF THE DESTRUCTION PROCESS
MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI carries out all destruction processes, both those performed upon request and those performed ex officio during periodic destruction processes, in accordance with the Law, other legislation, the Personal Data Protection and Processing Policy and this Personal Data Storage and Destruction Policy.
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” takes a number of administrative and technical measures to ensure that destruction operations are carried out in accordance with these regulations.
10.1.1. Technical Measures
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” provides technical tools and equipment suitable for each destruction method included in this policy.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” ensures the safety of the place where destruction operations are carried out.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” keeps the access records of the people who carry out the destruction process.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” employs competent and experienced personnel to carry out the destruction process or receives services from competent third parties when necessary.
10.1.2. Administrative Measures
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” works to raise the awareness of its employees who will perform the destruction process on information security, personal data and privacy of private life.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” receives legal and technical consultancy services to follow the developments in the field of information security, privacy of private life, protection of personal data and safe destruction techniques and to take the necessary actions.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” signs protocols with the relevant third parties for the protection of personal data in cases where it has the destruction process done by third parties due to technical or legal requirements, and takes all necessary care to ensure that the relevant third parties comply with their obligations in these protocols.
- “MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” regularly checks whether the destruction processes are carried out in accordance with the law and the terms and obligations specified in this Personal Data Storage and Destruction Policy, and takes the necessary actions.
All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations.
11. ENFORCEMENT
- The policy will enter into force as of the date of publication.
- It is the responsibility of the Personal Data Protection Committee to announce the policy throughout MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI and to make the necessary updates.
12. UPDATES AND COMPLIANCE
“MASSIVE BIOINFORMATICS ARGE TEKNOLOJILERI ANONIM SIRKETI” reserves the right to make changes in the Personal Data Protection and Processing Policy or this Personal Data Storage and Destruction Policy due to changes made in the Law, in accordance with the decisions of the Institution or in line with the developments in the sector or in the field of informatics.
The changes made to this Personal Data Storage and Destruction Policy are processed into the text without delay and the explanations of the changes are provided at the end of the policy.